Privacy Policy

Introduction
The primary purpose of this policy is to set out Origin Safety Limited’s (hereafter Origin’s) approach on the handling and processing of the personal data of individuals and organisations it interacts with.

It has been produced in response to the General Data Protection Regulation (GDPR) (Reference 1), and has been reviewed by The Directors and accepted for adoption into Origin’s Business and Quality Management System (BQMS) (Reference 2) with immediate effect. Its content is based on that published by the Information Commissioner’s Office (at References 3 and 4 respectively).

The GDPR came into effect on 25th May 2018, and organisations holding personal data, both commercial and non-commercial, are required to comply with it.

The detail contained within this Policy on Personal Data has been written to capture the key elements of GDPR and is proportionate to the size of Origin, the nature of its work and the kind(s) of data typically stored. As with all Origin policy contained in the BQMS, this Policy is subject to further review and amendment as deemed appropriate and necessary by The Directors.

Treatment of Personal Data
Description, Sources, Usage
Origin holds personal data on its data stakeholders (Staff, Clients, Associates and other contracting agencies) in the following forms:
• Curriculum Vitae (CVs) – Work experience / history and qualifications, areas of technical specialism / interest;
• Contact details – e.g. postal address, email address(es), phone number(s);
• Invoicing records – e.g. invoices paid and received, bank account details including sort codes and account numbers.

Note that the above is a generalised list only; not all forms described apply to each stakeholder group. For example, CVs would not normally be expected to be held for clients and contracting agencies. Personal data is generally provided by the data stakeholder during the initial stages of any engagement with Origin.

The data is manually updated as and when business needs dictate (e.g. change of client or associate address) and is necessary to facilitate Origin’s day-to-day running as a commercial business. As such, Origin shall only use personal data for the purposes of administering its business activities. This mainly relates to sending invoices and CVs to clients, agendas for meetings, distribution of minutes etc.; it will never sell nor disclose such information to any third party unless ordered to do so by some legal authority such as a High Court.

Note that in exceptional circumstances the Directors may also process information relating to the investigation of any alleged misconduct of its staff or an Associate, in accordance with the BQMS.

Storage and Access
The master database for retaining all files containing personal data is held electronically on Microsoft OneDrive and is backed up on the Directors’ Personal Computers (PCs). OneDrive is a password-protected secure system and access to the Directors’ PCs is also password and/or biometrically protected.

Associates are provided access to OneDrive’s data files on a restricted basis. For example, permissions are set up limiting their access to that of clients / contracting agencies they are directly involved with on Origin’s behalf. Associates are also required to formally acknowledge and confirm ongoing compliance with the requirements of this Privacy Policy, including aspects relating to Confidentiality.

Rights as Individuals
Under GDPR, individuals have the following rights:
• Right to be informed;
• Right of access;
• Right to rectification;
• Right to erasure;
• Right to restrict processing;
• Right to data portability;
• Right to object; and
• Right not to be subject to automated decision-making including profiling.

Under GDPR (Reference 1) requests from personal data stakeholders must be dealt with within one calendar month, though most cases are not expected to take this long. Data stakeholders also have a right as individuals to complain to the ICO if they think there is a problem with the way Origin is handling their data.

Retention Periods
Unless a request is received to delete personal information, Origin may retain such data for an indefinite period. However, such data will not be disclosed to any third party, unless required to do so by legal authority such as a High Court.

Data Breaches
Because of Origin’s size and nature, a data protection officer is disproportionate to requirements and shall not be appointed. However, any data breach may be reported by any Origin Director / Office Holder. Origin’s Directors are then collectively responsible for investigating any breaches they are made aware of, and for putting in place preventative measures as may be deemed appropriate and necessary.

Origin also has an obligation to report any data breaches to the ICO, should they have the potential to result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage to any personal data stakeholder.

Privacy Notice
A copy of Origin’s Privacy Notice, to be sent to all data stakeholders, is as follows:

‘I give my consent for my personal data to be used for the proper administration of Origin Safety Limited, in accordance with the terms of its Privacy Policy. I have also been informed of my rights under General Data Protection Regulation (GDPR) (regulation EU 2016/679) within the Privacy Policy OSL-0064’

All data stakeholders will be requested to give their CONSENT to Origin holding and processing personal data on initial engagement with Origin. It is important to note that under GDPR consent must be freely given, specific, informed and unambiguous – as such a positive ‘YES’ response will be requested.

Nil-Responders will be contacted directly by a Director and / or the relevant Project Manager prior to any further processing of personal data. The concept of explicit consent is important, as it forms the lawful basis for Origin’s use and processing of members’ personal data.

References
1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
2. Business and Quality Management System, Origin Safety Limited, OSL-0040, as amended.
3. Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now, Information Commissioner’s Office, V2.0 20170525
4. Guide to the General Data Protection Regulation (GDPR), Information Commissioner’s Office, available at URL: https://ico.org.uk/for-organisations/guide-to-the-general-dataprotection-regulation-gdpr
